What's real and what's not in web security

Richard Power talks with WhiteHat Security's Jeremiah Grossman about Cross-Site Scripting, penetration testing and much more

This is the third in a series of interviews with C-level executives responsible for cyber security and privacy in business and government, who also happen to be thought leaders. (Remember, as I mentioned previously, "C-level executive" and "thought leader" are not synonyms.)

In this issue, I discuss a range of issues related to the hard work of web security with Jeremiah Grossman, founder and Chief Technology Officer of WhiteHat Security. He is responsible for web application research and development, and is a high-profile industry evangelist, taking his message far and wide from the familiar haunts of BlackHat Briefings and other cyber security venues even unto the rarified air of TEDxMaui. A founding member of the Web Application Security Consortium (WASC), Grossman is a leading voice in web application security. Before launching WhiteHat, Grossman worked as an information security officer at Yahoo!

Richard Power: You have a unique vantage point to assess the "facts on the ground" in cyberspace. Give us a sense of the scope and range of sites, sectors, security systems, etc. that your team has a window into?

Jeremiah Grossman, WhiteHat Security: All industry reports agree: most "hacking" and "loss of records" these days are the result of a web-based compromise -- either through a website or a Web browser. WhiteHat Security performs regular vulnerability assessments on over 8,000 of the Internet's most high-profile websites, including online banks, e-retailers, healthcare providers, etc. The security of better than 80 percent of those websites can be swiftly compromised, easily resulting in fraud, theft of consumer information, and so on.


More than that, our work measures what types of issues are most common and how long the vulnerabilities persist - which is typically weeks to months. This data is highly unique and difficult to come by, as it requires special privileges granted by our customers to test their systems.

Power: And what are the "facts on the ground" in cyberspace? What jumps out at you in what you are seeing 24x7? What is trending up? What is trending down? What is overhyped? What is underestimated?

Grossman: The 2011 Verizon Data Breach Investigations Report (DBIR), which has tracked thousands of cyber-crime cases over the past decade, has this to say: Amongst large organizations (1,000 or more employees), Web applications were the initial hacking vector in 54 percent of breaches and represented 39 percent of the compromised records. Going back as far as the 2008 Verizon DBIR, the message was largely identical: Web application hacking was one of the largest causes of breach and data loss. Furthermore, studies published by 7Safe, the UK Security Breach Investigations Report, analyzed 62 cybercrime breach investigations and state that in "86 percent of all attacks, a weakness in a web interface was exploited" (vs. 14 percent infrastructure) and the attackers were predominately external (80 percent).

Combine this knowledge with the targeted Web-related attacks against Sony, Citibank, Google, Adobe, Yahoo!, the US House of Representatives, Amnesty International, Stratfor, Heartland Payment Systems, bank after bank, university after university, country after country -- the story is the same. It's a Web security world and the lesson is clear: secure your Web application code or risk your online business.

Internet Security Hacking and Threats...

Trending Up: Website, Web browser, OS X

Trending Down: Windows exploits

Overhyped: Mobile, Cloud, Social Networking

Underestimated: Intranet hacking, SaaS third-party software hacking

Power: What direction do you see penetration testing going? What are some of the challenges?

Grossman: If today's Web security challenges are to be overcome, then scalability is what we need; scalability of people, scalability of process, and scalability of technology. Without the ability to scale globally, and Web security is a global issue, our problems will remain too costly to solve. Consider that there are 676+ million websites, millions more added every month, an unknown number of Intranet Web applications, 17+ million developers, and over one billion people on the Web. As the Web takes center stage in IT security, pen-testers and vulnerability assessment providers must be capable of more than spotting the weaknesses and relaying generic advice on an annual basis. They'll need to offer strategic planning regarding where to start, what should be done next, how to align incentives, track progress, measure success, and more importantly justify investment.

Power: What are some of the most common issues you see in terms of security exposures? What are some of the counter-measures that are most under-utilized?

Grossman: Cross-Site Scripting, SQL Injection, Cross-Site Request Forgery, and Information Leakage are by far the most pervasive website vulnerabilities that routinely lead to compromise. The technical counter-measures are input validation, output filtering, parameterized SQL, and secure configuration. From an organizational standpoint, the #1 issue is not knowing what websites they own, what they do, or what they are vulnerable to. Solving that problem will go a long way to preventing major compromises.
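The three code-level counter-measures Grossman names (input validation, output filtering, parameterized SQL) shown side by side with the string-concatenation pattern they replace. This is an added example, not code from the interview or from WhiteHat; the in-memory SQLite table and the user names are constructed sample data.

```python
import html
import sqlite3


def make_db():
    # Constructed in-memory table standing in for a site's user store (sample data).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def lookup_concat(conn, name):
    # The pattern behind SQL Injection: user input is spliced into the SQL text,
    # so quote characters in the input change the meaning of the query.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, name):
    # Parameterized SQL: the driver binds the input as a value, never as SQL grammar,
    # so the same input simply matches no row.
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


def validate_username(name):
    # Input validation: an allow-list of characters plus a length bound;
    # anything else is rejected before it reaches the database or the page.
    return 1 <= len(name) <= 32 and all(c.isalnum() or c == "_" for c in name)


def render_greeting(name):
    # Output filtering: HTML-escape untrusted data before placing it in markup,
    # which is the standard defence against reflected Cross-Site Scripting.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"
```

With the same quote-bearing input, `lookup_concat` returns every row while `lookup_param` returns none; `validate_username` rejects that input outright, and `render_greeting` neutralizes a tag in it.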

Power: Wikileaks, Anonymous, Stuxnet, three very different stories, but all of earth-shaking significance, and brimming with implications about public policy, geopolitics, even culture. But looking at them from the operational plane, in the private sector, what are some lessons learned to draw out, and some consequences and implications to be factored in, for those responsible for IT and web security and those responsible for governance?

Grossman: Pick your favorite cyber-security story, or all of them, and it all boils down to one of three forms of criminal hacking behavior -- Cyber-War, Cyber-Crime, and Hacktivism. All are very real threats, but each speaks to a different motivation, even if the attack techniques they employ are similar.

In Cyber-War, the bad actors are nation-state supported and desire military / government secrets, intellectual property, and command-and-control over their enemies' systems.

In Cyber-Crime, all the bad guys are after is money, in the form of hard cash or information that's easy to monetize.

Hacktivism represents a political agenda, a way to push out a message to a larger audience. In all cases, understanding an attacker's motivation, sophistication, and persistence is critical to operational security for two reasons.

1) Reaching a state of perfect security is clearly a fantasy, or at least prohibitively expensive, but it also may be unnecessary.

2) Every organization is either a target of opportunity or a target of choice; the bad guy chooses which.


If an organization is a target of opportunity, operational security goals should be set to achieve a security posture equal to or greater than the peer group average. If a target of choice, then an organization's security posture must be as good as possible and/or amongst the peer group leaders. In either case, the idea is to invest security dollars in a way that increases the cost of successfully breaching security to the point where an attacker gives up or goes elsewhere.

Power: How does an organization that avails itself of your services make it worthwhile? How does it turn your findings into improved security? What are the enablers? What are the impeding factors?

Grossman: WhiteHat Sentinel drives two key organizational security metrics: "how am I doing over time" and "how am I doing relative to my peers." Every organization developing code, especially production Web code, is going to have vulnerabilities. That alone is not an indictment of their security program. We help organizations track their average number of vulnerabilities, their percentage of remediation, and how fast remediation takes place. When you pair this data against the value of a website to an organization, the result is insight that's invaluable to proper risk management. It helps answer questions such as "are we doing enough," "are we doing the right things," and "how can we invest our security resources more wisely." The impediment to this process is a lack of proper website asset management. Again, the vast majority of organizations don't know what websites they own, what they do, or what they're worth.

Power: Where do you see your company going? What's its trajectory?

Grossman: We're presently performing assessments on 8,000 websites. To put this in context, there are 1.6 million websites serving up SSL certificates, so we've got a long way to go! We'll get there though. The Web is just too important to civilization not to protect it.

Richard Power is a Distinguished Fellow and Director of Strategic Communications at Carnegie Mellon University CyLab, one of the world's leading academic cyber security research programs. His office is at Carnegie Mellon University's Silicon Valley campus in NASA Research Park (Mountain View, California).
